Facebook punishes app developers found selling user data

Facebook has informed application developers that it's going to crack down on …

Facebook has confirmed that some application developers sold identifying user information to a data broker. The offending developers—not named directly by the company—have been placed on suspension for six months, Facebook wrote in a post on its Developer Blog.

The data in question is supposedly limited to Facebook user ID numbers (UIDs), which were gathered by numerous Facebook apps and subsequently transferred to their respective advertising networks—a behavior that came to light in October. In some cases, the gathering of UIDs was inadvertent due to the way browsers pass information, but the Wall Street Journal discovered that some apps had also scraped other personal information from user profiles and then sold the information—a violation of Facebook's terms of service.

One of the companies buying info, RapLeaf Inc., was found to be linking the UIDs that were gathered by a handful of apps with its own database of users that it cross-checks from other parts of the Internet. Facebook's Mike Vernal wrote in the blog post that RapLeaf "came forward" and agreed to delete all UIDs it had on file, as well as abstain from collecting any more information.

However, the post seemed to indicate (but did not specifically say) that RapLeaf was not the "data broker" in question that was found to be paying developers for Facebook UIDs. Regardless, Facebook developers who were found to be selling data to third parties will be the ones suffering the consequences.

"While we determined that no private user data was sold and confirmed that transfer of these UIDs did not give access to any private data, this violation of our policy is something we take seriously," Vernal wrote. "As such, we are taking action against these developers by instituting a 6-month full moratorium on their access to Facebook communication channels, and we will require these developers to submit their data practices to an audit in the future to confirm that they are in compliance with our policies."

A number of developers expressed concern in the comments, noting that they sometimes share UIDs between apps from the same developer and that this is yet another reason they have to fear their accounts being disabled. Some even noted that they have no involvement in any sort of data brokerage, yet they still managed to fall victim to the new moratorium. Still, Facebook assured them that the repercussions would only affect a handful of developers, though others noted that data brokers don't need Facebook apps to gather user information—they can scrape UIDs and other statistics from publicly accessible API methods.

It's clear that Facebook is intent on cleaning up its image when it comes to user privacy with this latest move. Indeed, Facebook developers shouldn't be selling user info—especially when it violates Facebook's own terms of service. But the fact that data brokers can get the information via other channels just shows that there's still much work to be done before users can feel secure that their personal information is being kept reasonably private by Facebook.